bitrat | fe8c9e7b5df84863cebeffb7f7a6a9de7e1cfccce1a0882618438ba16b3b2780

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76ac21d5d094a33fc1fcc0215bbcc123.exe
Size

4.0MB
MD5

76ac21d5d094a33fc1fcc0215bbcc123
SHA1

03aff12ac59f59a3e1c4c7ee1e79ea5840bc66bb
SHA256

fe8c9e7b5df84863cebeffb7f7a6a9de7e1cfccce1a0882618438ba16b3b2780
SHA512

3508f02a6d96e2988b5a232d44ffc6e7979ce3eb1c7f640417f1b1029f1e0f94f9682d95d72c108a3e2b1d706ce774d6ff140a07e4aa42565604cd2ca9a12612
SSDEEP

98304:YZVblz+5RHSRptwRWNcKr709xNG8W9pIbV50OqnwhIjIlb3r:YZV5zayRQpXi7IbsDNU

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

8.208.27.150:4550

Attributes

communication_password
9996535e07258a7bbfd8b132435c5962
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	76ac21d5d094a33fc1fcc0215bbcc123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	loader32biut.exe

Executes dropped EXE 1 IoCs

pid	Process
1476	loader32biut.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3708 set thread context of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 1476 set thread context of 1632	1476	loader32biut.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1352	2252	WerFault.exe	90
792	1632	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4448	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe
Token: SeDebugPrivilege	1476	loader32biut.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 2888	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	89
PID 3708 wrote to memory of 2888	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	89
PID 3708 wrote to memory of 2888	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	89
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 2252	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	90
PID 3708 wrote to memory of 1084	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	102
PID 3708 wrote to memory of 1084	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	102
PID 3708 wrote to memory of 1084	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	102
PID 3708 wrote to memory of 4584	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	104
PID 3708 wrote to memory of 4584	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	104
PID 3708 wrote to memory of 4584	3708	76ac21d5d094a33fc1fcc0215bbcc123.exe	104
PID 1084 wrote to memory of 4448	1084	cmd.exe	106
PID 1084 wrote to memory of 4448	1084	cmd.exe	106
PID 1084 wrote to memory of 4448	1084	cmd.exe	106
PID 1476 wrote to memory of 2080	1476	loader32biut.exe	108
PID 1476 wrote to memory of 2080	1476	loader32biut.exe	108
PID 1476 wrote to memory of 2080	1476	loader32biut.exe	108
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110
PID 1476 wrote to memory of 1632	1476	loader32biut.exe	110

C:\Users\Admin\AppData\Local\Temp\76ac21d5d094a33fc1fcc0215bbcc123.exe
"C:\Users\Admin\AppData\Local\Temp\76ac21d5d094a33fc1fcc0215bbcc123.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 188
    3⤵
    - Program crash
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\76ac21d5d094a33fc1fcc0215bbcc123.exe" "C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe"
  2⤵
  PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252
1⤵
PID:2392

C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe
C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 188
    3⤵
    - Program crash
    PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1632 -ip 1632
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe

Filesize
3.3MB

MD5
9b4c6a9506bca6f8a0abe98159f655de

SHA1
c53c926ca0bb1fa785a0033afe8169851cac3384

SHA256
2ef5fe0c4db1286a05258d2db599242af8003d0de56f6d1433d659b094c169b3

SHA512
a3a820333d99fd0d6d43f9b2da19f3d2113bebed6844cb1e87e008d6802eefaf224f3221a76190bcb9a3633571d5a3eac1782d707d54cfab71fc50f7d5aa3d3a

Download Submit
C:\Users\Admin\AppData\Roaming\loader32biut\loader32biut.exe

Filesize
3.4MB

MD5
ec9faa55c94491f49751958c36c57d1d

SHA1
dd29a279a70a62d36ea2e27cf0f77798e898fd90

SHA256
cfa9682303838c843415773a21a39b9b6db33bc018703d01d60dd7ba42f0dcbc

SHA512
8b34b751637472366898783e60175c576aaf9229138dc7e5f8234096c821cbab06aba54d598b3cfb8a549c71c2ac2a41f83855a456269298eb6517b554e0188d

Download Submit
memory/1476-36-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1476-35-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1476-23-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/1476-24-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/1476-22-0x0000000000670000-0x0000000000A78000-memory.dmp

Filesize
4.0MB

Download
memory/1632-34-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/1632-30-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/2252-7-0x0000000000EB0000-0x000000000127E000-memory.dmp

Filesize
3.8MB

Download
memory/2252-11-0x0000000000EB0000-0x000000000127E000-memory.dmp

Filesize
3.8MB

Download
memory/2252-15-0x0000000000EB0000-0x000000000127E000-memory.dmp

Filesize
3.8MB

Download
memory/3708-5-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/3708-17-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3708-16-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3708-0-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/3708-4-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3708-3-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/3708-2-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download
memory/3708-1-0x0000000000A30000-0x0000000000E38000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads